Nginx: HTTP/2 might stop working on May 15th with Chrome clients

[VincentD]

Hello,

First of all, I would like to thank the Plesk team for all the good work so far! I tried many solutions, paid and free, and I always come back to Plesk. It just makes sense to me.

Now, as you may know, Plesk 12.5 now supports HTTP/2 through Nginx if you enable it! Which is great.

Plesk supports (as I read folders from the repo) Debian 6/7/8, Ubuntu 12.04/14.04, and CentOS/RHEL/CloudLinux 5/6/7. Last I checked, all these distros use OpenSSL 1.0.1.

HTTP/2 requires ALPN (Application-Layer Protocol Negociation) to negociate the protocol with the client. Since only OpenSSL versions 1.0.2 and up support ALPN, there is the option of using NPN (Next Protocol Negociation), inherited from SPDY.

Google first decided to support HTTP/2 only with ALPN, but backpedalled when they realized it would stymie HTTP/2's deployment. Up until now, they support both NPN and ALPN.

This all changes on May 15th for Google Chrome. They will deprecate SPDY, and along with it NPN support.

This leaves us with Plesk's situation: HTTP/2 won't be operational for Chrome clients in about 4 days.

The only method I have found so far is to take Nginx's configure line, get the same version as what plesk has, compile it with OpenSSL 1.0.2 baked in, and replace the binary. It works fine like this, but it will break as soon as the Plesk team updates Nginx.

My question is the following: would the Plesk team statically link OpenSSL 1.0.2 into its Nginx packages, since all distros have older versions? Thoughts on this?

This would solve many headaches in advance

Thanks for reading me!

 

[IgorG]

According to your reference:

Servers that do not support HTTP/2 by that time will serve Chrome requests over HTTP/1.1, providing the exact same features to users without the enhanced performance of HTTP/2.

ALPN extension is available only since openssl v1.0.2 that is not supplied by OS vendors yet for those OSes that are supported in Plesk 12
Following thread can be interesting for you - https://talk.plesk.com/threads/how-rebuilt-nginx-to-support-openssl-1-0-2.337942/
Here is discussion of this issue - https://bugs.chromium.org/p/chromium/issues/detail?id=557197

 

[themew]

Please correct me if I'm wrong, but it seems that the ALPN issue has been addressed in openssl 1.0.1t - https://www.openssl.org/news/openssl-1.0.1-notes.html

If so, would it be possible for Plesk to update us to 1.0.1t or post an update method for those of us that use nginx with HTTP/2?

 

[IgorG]

Please correct me if I'm wrong, but it seems that the ALPN issue has been addressed in openssl 1.0.1t - https://www.openssl.org/news/openssl-1.0.1-notes.html

If so, would it be possible for Plesk to update us to 1.0.1t or post an update method for those of us that use nginx with HTTP/2?

It is not added new feature to 1.0.1, it is just additional specific reaction to ALPN requests from clien's side.
ALPN feature is supported only in 1.0.2 version

 

[IgorG]

The ALPN (Application-Layer Protocol Negotiation) support for nginx was added to Plesk, making HTTP/2 available in the Chrome browser - http://docs.plesk.com/release-notes/12.5/change-log/#12530-mu35

 

[nMLxTMJTZ]

you use a custom version of nginx?

 

[IgorG]

you use a custom version of nginx?

Yes.

 

[trialotto]

@IgorG,

It would be nice to have emphasized more clearly that some changes in decisions with respect to Google Chrome do not affect HTTP/2 request serving by Nginx, as shipped with Plesk.

For instance, the custom Nginx binary shipped with Plesk implies that a (custom) recompilation of Nginx is not required, in order to tackle the Chrome related issues.

Moreover, it should be emphasized that some or most OSes, like Ubuntu, have their own OpenSSL versions, with the version numbers not exactly coinciding with the numbers from OpenSSL.org, even though many patches and extensions (such as the ALPN extension) are (often, but not always) included in the OS provided packages.

It would be nice to have some comprehensive documentation about the topic, hence reassuring many forum members or Plesk customers.

Just a thought.....

Regards

PS It would also be nice to have some explanation why HTTP/2 is presented as the way forward, while the Plesk Panel itself is on "good old SPDY".

 

[PeaceMaker]

How does this affect anyone running Onyx Preview? Was planning on trying it out in a few days.

 

[trialotto]

@PeaceMaker,

That depends on a number of things, amongst others:

a) the question whether you use Nginx as a reverse proxy:

- if yes, HTTP/2 is only supported by Nginx versions 1.9.5 and higher
- if not, HTTP/2 is at best run via Apache,

b) the question whether you use Apache 2.4:

- if yes, HTTP/2 is only supported if you have version 2.4.17 (or higher) and have mod_http2 installed,
- if not, HTTP/2 support is not present,

c) the question whether you use HTTP/2 support at the Apache or the Nginx side (note: HTTP/2 support in Plesk 12.5.30 is at the Nginx side)

d) the question which OS you are using, given the fact that OS vendor packages are used for Apache core and most Apache modules

e) the question which OS you are using, given the fact that OS vendor packages are used for (various versions of) OpenSSL (note: most of them are patched to include ALPN extensions)

f) the question to which degree Nginx is compiled as a custom binary, with compilation using a specific OpenSSL version (note: the custom Nginx binary in Plesk is sufficient)

g) the question whether the pci_compliance_resolver tool has been used, given the relevant effects of the cipher suites implemented by this tool

h) the question whether customization of Apache, Nginx, cipher suites etc. has taken place

i) and so on......

and only then one comes to the one and important question: "does the browser (read: client) support HTTP/2 and to which extent?"


In short, Plesk Onyx will only serve HTTP/2 based request properly if a perfect combination of Nginx (or Apache), OpenSSL and other settings are present.

In conclusion, Plesk Onyx will support HTTP/2 properly, at least via Nginx.

Naturally, everybody can take wild guesses (like I did) or test Onyx, but we can only make an educated guess about the actual stack underlying the (actual) next Plesk release.

That is the problem: we can be sure that

- Nginx supports HTTP/2: Onyx will support HTTP/2 one way or another
- Google will keep on pushing for something they want everybody to implement: HTTP/2 protocol (there are a lot of people that do feel that the track toward HTTP/2 is to hasty)
- Issues will keep arising: the community is not entirely in agreement with respect to the fast track implementation of HTTP/2 protocol
- Google Chrome will be the "odd one out" browser: Chrome is an early adopter, for reasons stated in the second point

and hence nobody is sure about the future aspects of HTTP/2 protocol or the way of implementation in browsers.

Please note that there has been said a lot about HTTP/2, but the reality is that any Plesk release will support that protocol to at least some extent.

Hope the above explains a little bit, in specific about all the decisions a development team has to make in order to keep HTTP/2 support in check with reality.


Regards........

 

[IgorG]

PS It would also be nice to have some explanation why HTTP/2 is presented as the way forward, while the Plesk Panel itself is on "good old SPDY".

It's a question of priorities. Of course, we will do it for the panel. We just decided to implement this new technology for client sites first. I think you will agree that it has the highest priority?

It would be nice to have some comprehensive documentation about the topic, hence reassuring many forum members or Plesk customers.

It would be nice if you give us, let say, 5 main questions in FAQ format. Just 5 short questions. Nothing more. And we will explain each your question. I suppose that it would be good to have such FAQ for this topic. Isn't it?

 

[nMLxTMJTZ]

hi, i updated to mu#35 but my website https://chatme.im not work in http/2 on chrome

 

[IgorG]

hi, i updated to mu#35 but my website https://chatme.im not work in http/2 on chrome

This Chrome plugin indicates that HTTP/2 works fine for this site.

 

[nMLxTMJTZ]

i try in my chrome 51 with plugin and windows 10 and give me is not enabled

 

[IgorG]

i try in my chrome 51 with plugin and windows 10 and give me is not enabled

I use Chrome 51 on OSX with this plugin and HTTP/2 is enabled for this site:

 

[nMLxTMJTZ]

yes also for me in OSX work but not in windows 10

 

[themew]

i try in my chrome 51 with plugin and windows 10 and give me is not enabled

For complete results, try your url here > https://tools.keycdn.com/http2-test

HTTP/2 Test Result chatme.im
Yeah! chatme.im supports HTTP/2.0.
ALPN supported.

Looks like you're good to go. Ignore the browser error.

 

[trialotto]

@IgorG

Sorry for the late reply.

With respect to

It's a question of priorities. Of course, we will do it for the panel. We just decided to implement this new technology for client sites first. I think you will agree that it has the highest priority?

I can answer with "yes" and "no".

Yes, I do agree: with limited options left, one has to adopt the HTTP/2 protocol.

No, I do not really agree, the implementation of HTTP/2 is an ongoing and continuously "changing process": nobody benefits from early adaption if changes are sure to follow.

If you ask me, Google will not be able to enforce the HTTP/2 protocol, as long as they are messing around with Android, which mostly (only) supports HTTP/1.x (and is a security hazard)

With the above I simply try to demonstrate that Google´s objectives with respect to Chrome HTTP/2 support are essentially void, as long as Android is not taken care of.

With Google being one of the biggest advocates for the HTTP/2 protocol, actually realizing their own (original) objectives would mean that millions of Android devices are cut off.

In short, we can be sure of one thing (HTTP/2 is coming) and we can expect many changes in the implementation path.

By the way, it is not all about Google: in general, the "world" is not ready for "strict HTTP/2" (the world wants sites for all devices, including Android based devices) and the "world" is certainly not willing to invest huge amounts in certificates and/or not willing to use the concept of "shared certificates".

It would be nice if you give us, let say, 5 main questions in FAQ format. Just 5 short questions. Nothing more. And we will explain each your question. I suppose that it would be good to have such FAQ for this topic. Isn't it?

Well, some of the FAQ are already implicitly present in an earlier post of mine.

These questions should be considered as relevant FAQ:

1) what is the custom Nginx binary, shipped with Plesk, composed of and with which OpenSSL version is the custom Nginx binary compiled?

2) which OpenSSL version should I use, given a specific OS?

3) does it matter that the custom Nginx binary is compiled with a different OpenSSL version, as installed on the OS?

4) what are the consequences of activating HTTP/2 support via Nginx, will it affect requests from specific devices and/or does it mean that Apache requires HTTP/2 support?

5) why is it not possible to enable HTTP/2 support on a per-domain basis or (only) on the Apache side?

Naturally, the above mentioned 5 questions will be rather rethorical for both you and me, but the answers will (probably) be valuable for many forum members, primarily due to the fact that these answers are indicative of the design structure of Plesk, the possibilities to enable HTTP/2 support and the interactions or relations between the required packages.

Regards.......